carbon accounting trivy scan
aldousalvarez committed Nov 20, 2023
1 parent 0af2eb1 commit e21594a
Showing 7 changed files with 110 additions and 4 deletions.
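--- a/.github/workflows/azure-container-scan.yaml
+++ b/.github/workflows/azure-container-scan.yaml
@@ -0,0 +1,38 @@
+name: azure-container-image-scan
+
+on:
+push:
+pull_request:
+# Publish `main` as Docker `latest` image.
+branches:
+- main
+
+# Publish `v1.2.3` tags as releases.
+tags:
+- v*
+
+
+jobs:
+build-secure-and-push:
+name: Scan cactus-example-carbon-accounting image
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/[email protected]
+env:
+# (Required) The token to use to make API calls to GitHub.
+GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+- uses: actions/checkout@v1
+- name: Login to DockerHub Registry
+run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+
+- name: Build Images from Dockerfile
+run: DOCKER_BUILDKIT=1 docker build -f ./examples/carbon-accounting/Dockerfile . -t cactus-example-carbon-accounting
+
+- uses: Azure/[email protected]
+name: Scan image for vulnerabilities
+id: container-scan
+continue-on-error: true
+with:
+image-name: cactus-example-carbon-accounting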
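Review bot: The workflow has no `permissions:` block, and the `Login to DockerHub Registry` step hands `GITHUB_TOKEN` to `docker login ghcr.io` even though the build step reads only the checked-out tree and nothing is pushed to or pulled from the registry, so the token is written into the Docker credential store for no visible purpose. Drop the login step, or if a later push is planned, add a top-level `permissions:` with `contents: read` and `packages: read` so the token carries nothing more; the step name also says DockerHub while the command targets `ghcr.io`. `continue-on-error: true` on the container-scan step means findings never fail the job, so the scan is purely informational; if that is intended, a comment saying so above the step would stop the next reader from "fixing" it. `actions/checkout@v1` here differs from the `@v2` used in trivy-container-scan.yaml, and both workflows reference actions by mutable tags, where a security-scanning workflow would usually pin to a commit SHA. Indentation is lost in this rendering, so the nesting under `on:` and the placement of `env:` on the first step could not be verified.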
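--- a/.github/workflows/trivy-container-scan.yaml
+++ b/.github/workflows/trivy-container-scan.yaml
@@ -0,0 +1,52 @@
+name: trivy-container-image-scan
+
+on:
+push:
+pull_request:
+# Publish `main` as Docker `latest` image.
+branches:
+- main
+
+# Publish `v1.2.3` tags as releases.
+tags:
+- v*
+
+
+jobs:
+
+build:
+name: Scan cactus-example-carbon-accounting table image
+runs-on: ubuntu-20.04
+steps:
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Build an image from Dockerfile
+run: DOCKER_BUILDKIT=1 docker build . -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+- name: Run Trivy vulnerability scan for cactus-example-carbon-accounting
+uses: aquasecurity/[email protected]
+with:
+image-ref: 'cactus-example-carbon-accounting'
+format: 'table'
+exit-code: '0'
+ignore-unfixed: true
+vuln-type: 'os,library'
+severity: 'CRITICAL,HIGH'
+
+build2:
+name: Scan cactus-example-carbon-accounting json image
+runs-on: ubuntu-20.04
+steps:
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Build an image from Dockerfile
+run: |
+DOCKER_BUILDKIT=1 docker build ./ -f ./examples/carbon-accounting/Dockerfile -t cactus-example-carbon-accounting
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/[email protected]
+with:
+image-ref: 'cactus-example-carbon-accounting'
+format: 'json'
+exit-code: '0'
+ignore-unfixed: true
+vuln-type: 'os,library'
+severity: 'CRITICAL,HIGH'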
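Review bot: Both Trivy steps set `exit-code: '0'` and their table/json output goes only to the job log, so CRITICAL/HIGH findings neither fail the job nor survive anywhere reviewable after the run. If the scan is meant to gate merges, set `exit-code: '1'` on at least the table job; if it is informational, write the report through trivy-action's `output:` input and attach it with an upload-artifact step, and add a comment above `ignore-unfixed: true` recording that findings without an upstream fix are deliberately hidden. `build` and `build2` check out and build the same image twice and differ only in `format:`; one job with two scan steps, or a `strategy.matrix` over the format, avoids the duplicate build and keeps the two configurations from drifting. The comments under `on:` ("Publish `main` as Docker `latest` image", "Publish `v1.2.3` tags as releases") are copied from a publish workflow and do not describe this scan. Indentation is not preserved in this rendering, so whether `branches`/`tags` sit under `push` or `pull_request` could not be checked.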
Expand Up @@ -76,10 +76,12 @@
"devDependencies": {
"@types/express": "4.17.19",
"@types/fs-extra": "9.0.13",
"@types/http-cache-semantics": "^4",
"@types/json-stable-stringify": "1.0.34",
"@types/uuid": "8.3.4",
"express-jwt": "8.4.1",
"hardhat": "2.17.2",
"http-cache-semantics": "4.1.1",
"http-status-codes": "2.1.4",
"jose": "4.9.2",
"json-stable-stringify": "1.0.2"
5 changes: 3 additions & 2 deletions examples/carbon-accounting/Dockerfile
Expand Up @@ -36,8 +36,9 @@ SHELL ["/bin/bash", "--login", "-i", "-c"]
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
RUN source ~/.bashrc && \
nvm install 16.15.1 && \
npm install -g yarn && \
yarn add @hyperledger/cactus-example-carbon-accounting-backend@0.9.1-ci-942.cbb849c6.35 --ignore-engines --production
npm install --location=global yarn && \
yarn set version 3.6.0 && \
yarn add @hyperledger/[email protected]

SHELL ["/bin/bash", "--login", "-c"]

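Review bot: The new `yarn add` line drops the `--production` and `--ignore-unfixed`-style install flags the removed line carried (`--ignore-engines --production`); Yarn 3, selected by `yarn set version 3.6.0` on the line above, does not accept them on `yarn add`, so the production-only install is lost and the image now carries the package's devDependencies, which widens its attack surface and inflates what the scans added by this commit will report. If a production-only install is still intended, Yarn 3 needs its own mechanism (the `workspaces focus --production` command from the workspace-tools plugin is the usual one — to be confirmed against the 3.6.0 docs), and a comment on the RUN line should state which behaviour was chosen. The package version on the `yarn add` line is not legible in this rendering, so the pin could not be compared with yarn.lock. `yarn set version 3.6.0` fetches a Yarn release at build time; a comment recording why 3.6.0 was chosen would help the next bump.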
2 changes: 1 addition & 1 deletion examples/carbon-accounting/supervisord.conf
Expand Up @@ -12,7 +12,7 @@ stderr_logfile=/usr/src/app/log/dockerd.err.log
stdout_logfile=/usr/src/app/log/dockerd.out.log

[program:carbon-accounting-app]
command=/home/appuser/.nvm/versions/node/v16.3.0/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
command=/home/appuser/.nvm/versions/node/v16.15.1/bin/node /usr/src/app/examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js
autostart=true
autorestart=unexpected
exitcodes=0
2 changes: 2 additions & 0 deletions package.json
Expand Up @@ -112,6 +112,7 @@
"@openapitools/openapi-generator-cli": "2.7.0",
"@types/adm-zip": "0.5.0",
"@types/fs-extra": "9.0.13",
"@types/http-cache-semantics": "^4",
"@types/jest": "29.5.3",
"@types/node": "16.18.41",
"@types/node-fetch": "2.6.4",
Expand Down Expand Up @@ -145,6 +146,7 @@
"google-protobuf": "3.21.2",
"grpc-tools": "1.12.4",
"grpc_tools_node_protoc_ts": "5.3.3",
"http-cache-semantics": "4.1.1",
"husky": "7.0.4",
"inquirer": "8.2.6",
"jest": "29.6.2",
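Review bot: `"@types/http-cache-semantics": "^4"` is the only caret range in this block — every neighbouring entry, and the companion `http-cache-semantics` entry, is pinned exactly — so it floats on the next install; the same range appears in the earlier package.json hunk at `@@ -76,10 +76,12 @@` and in yarn.lock, where it resolves to a second copy (`4.0.4`) alongside the existing `^4.0.1` entry that resolves to `4.0.1`. Pin it to the resolved version in both files, `"@types/http-cache-semantics": "4.0.4",`, or use `^4.0.1` so the lockfile keeps a single entry. Nothing in this commit imports `http-cache-semantics`, so if the direct dependency exists only to force a transitive version, a `resolutions` entry states that intent explicitly where an unused direct dependency does not.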
13 changes: 12 additions & 1 deletion yarn.lock
Expand Up @@ -6847,13 +6847,15 @@ __metadata:
"@openzeppelin/contracts-upgradeable": 4.9.3
"@types/express": 4.17.19
"@types/fs-extra": 9.0.13
"@types/http-cache-semantics": ^4
"@types/json-stable-stringify": 1.0.34
"@types/uuid": 8.3.4
async-exit-hook: 2.0.1
express-jwt: 8.4.1
fabric-network: 2.2.19
fs-extra: 10.1.0
hardhat: 2.17.2
http-cache-semantics: 4.1.1
http-status-codes: 2.1.4
jose: 4.9.2
json-stable-stringify: 1.0.2
Expand Down Expand Up @@ -7812,7 +7814,7 @@ __metadata:
"@hyperledger/cactus-test-tooling": 2.0.0-alpha.2
"@types/express": 4.17.20
"@types/uuid": 9.0.6
axios: 1.5.1
axios: 1.6.0
body-parser: 1.20.2
cbor: 9.0.1
express: 4.18.2
Expand Down Expand Up @@ -8322,6 +8324,7 @@ __metadata:
"@openapitools/openapi-generator-cli": 2.7.0
"@types/adm-zip": 0.5.0
"@types/fs-extra": 9.0.13
"@types/http-cache-semantics": ^4
"@types/jest": 29.5.3
"@types/node": 16.18.41
"@types/node-fetch": 2.6.4
Expand Down Expand Up @@ -8355,6 +8358,7 @@ __metadata:
google-protobuf: 3.21.2
grpc-tools: 1.12.4
grpc_tools_node_protoc_ts: 5.3.3
http-cache-semantics: 4.1.1
husky: 7.0.4
inquirer: 8.2.6
jest: 29.6.2
Expand Down Expand Up @@ -12905,6 +12909,13 @@ __metadata:
languageName: node
linkType: hard

"@types/http-cache-semantics@npm:^4":
version: 4.0.4
resolution: "@types/http-cache-semantics@npm:4.0.4"
checksum: 7f4dd832e618bc1e271be49717d7b4066d77c2d4eed5b81198eb987e532bb3e1c7e02f45d77918185bad936f884b700c10cebe06305f50400f382ab75055f9e8
languageName: node
linkType: hard

"@types/http-cache-semantics@npm:^4.0.1":
version: 4.0.1
resolution: "@types/http-cache-semantics@npm:4.0.1"
